diff --git a/core/modules/editor/src/EditorXssFilter/Standard.php b/core/modules/editor/src/EditorXssFilter/Standard.php index 3cf484e..5360c51 100644 --- a/core/modules/editor/src/EditorXssFilter/Standard.php +++ b/core/modules/editor/src/EditorXssFilter/Standard.php @@ -91,9 +91,9 @@ public static function filterXss($html, FilterFormatInterface $format, FilterFor $output = parent::filter($html, $blacklisted_tags); - // Since data-*-attributes can contain encoded markup that could be decoded - // and interpreted by editors, we need to apply XSS filtering to their - // contents. + // Since data-attributes can contain encoded HTML markup that could be + // decoded and interpreted by editors, we need to apply XSS filtering to + // their contents. return Standard::filterXssDataAttributes($output); } @@ -105,6 +105,7 @@ protected static function filterXssDataAttributes($html) { $dom = Html::load($html); $xpath = new \DOMXPath($dom); foreach ($xpath->query('//@*[starts-with(name(.), "data-")]') as $node) { + // Decode, filter, encode. $value = String::decodeEntities($node->value); $value = Xss::filterAdmin($value); $node->value = SafeMarkup::checkPlain($value); diff --git a/core/modules/filter/src/Tests/FilterUnitTest.php b/core/modules/filter/src/Tests/FilterUnitTest.php index c9eff5f..6eee637 100644 --- a/core/modules/filter/src/Tests/FilterUnitTest.php +++ b/core/modules/filter/src/Tests/FilterUnitTest.php @@ -199,11 +199,8 @@ function testCaptionFilter() { }; // Editor XSS filter. $test_editor_xss_filter = function ($input) { - $filtered_html_format = FilterFormat::create(array( - 'format' => 'filtered_html', - 'name' => 'Filtered HTML', - )); - return Standard::filterXss($input, $filtered_html_format); + $dummy_filter_format = FilterFormat::create(); + return Standard::filterXss($input, $dummy_filter_format); }; // All the tricky cases encountered at https://drupal.org/node/2105841.